Another possible XSS issue was reported for WordPress:
http://www.frsirt.com/english/advisories/2007/3640
A vulnerability has been identified in WordPress, which could be exploited by
attackers to execute arbitrary scripting code. This issue is caused by an input
validation error in the "wp-admin/edit-post-rows.php" script when processing the
"posts_columns" parameter, which could be exploited by attackers to cause
arbitrary scripting code to be executed by the user's browser in the security
context of an affected Web site.
Original advisory:
http://www.waraxe.us/advisory-59.html
Upstream advisory:
http://wordpress.org/development/2007/10/wordpress-231/
Upstream patch (seems to prevent direct access to the affected file):
http://trac.wordpress.org/changeset/6258
This issue only seems to affect WordPress 2.3, which is only in devel/f9 now.
Older versions in f7 and f8 do not seem to contain the affected file. Moreover,
exploitation requires register_globals to be enabled, which is not a recommended
setup (for years now) nor our default PHP configuration.
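
Since exposure here depends on register_globals being enabled, the following added example (not part of the original report or of WordPress) shows one way to check a host for that setting. It assumes mod_php-style per-directory overrides in .htaccess; the sample configuration text and function names are constructed for illustration.

```python
import re

# Values PHP's ini parser treats as boolean true (case-insensitive).
TRUTHY = {"1", "on", "true", "yes"}

# php.ini assignment; lines starting with ';' are comments and do not match.
INI_LINE = re.compile(r"^\s*register_globals\s*=\s*([^;]*)")
# Per-directory override as written in .htaccess under mod_php.
HTACCESS_LINE = re.compile(
    r"^\s*php_(?:flag|value)\s+register_globals\s+(\S+)", re.IGNORECASE)

# Constructed sample input, not taken from any real host.
SAMPLE_INI = """[PHP]
; register_globals = On
register_globals = Off
"""
SAMPLE_HTACCESS = "php_flag register_globals on\n"


def _is_on(raw):
    return raw.strip().strip("\"'").lower() in TRUTHY


def ini_register_globals(text):
    """Effective php.ini value: last assignment wins, default is Off."""
    enabled = False
    for line in text.splitlines():
        m = INI_LINE.match(line)
        if m:
            enabled = _is_on(m.group(1))
    return enabled


def htaccess_override(text):
    """True/False if .htaccess sets the flag, None if it says nothing."""
    result = None
    for line in text.splitlines():
        m = HTACCESS_LINE.match(line)
        if m:
            result = _is_on(m.group(1))
    return result


def exposed(ini_text, htaccess_text=""):
    """A per-directory setting overrides php.ini for that directory."""
    override = htaccess_override(htaccess_text)
    return ini_register_globals(ini_text) if override is None else override


if __name__ == "__main__":
    print("php.ini only:", exposed(SAMPLE_INI))
    print("with .htaccess:", exposed(SAMPLE_INI, SAMPLE_HTACCESS))
```

A clean php.ini is not sufficient on its own: the constructed .htaccess line re-enables the setting for its directory.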